Next Year's Hot Security Tools

IF YOU WANT to predict the most important information security tools for CSOs in the coming year, just look at the problems that CIOs are trying to resolve today. Whereas today's security tools are intrusive, clunky and require significant commitment from staff and users alike, tomorrow's tools will increasingly be automatic and even autonomous. Whereas today's tools are focused on delivering technical capabilities, tomorrow's tools will be focused on delivering concrete results. Finally, as CIOs and executive management focus on what ails them, more and more classic IT problems are going to be rephrased — right or wrong — as security problems.

That's sure to open the door to new solutions. Unfortunately, it will also open the door to new disappointments, as immature tools are frequently not a good match for the problems they seek to solve. So along with next year's likely winners, I've noted some widely hyped technology areas where available tools still earn a "needs improvement" grade. (Fair disclosure: Everybody gets a fair shake in this article, but I've been active in the security industry long enough to accumulate a number of potential conflicts in writing about some of these technologies. Those who want the gory details can see my bio at the end of the story.)

E-Mail Fixes

Without question, two of the most immediate pain points in corporate computing are e-mail-borne viruses and spam. One company I know recently had multiple computers infected by a virus after a sales manager disabled his antivirus software. He turned off the software because it interfered with another program that the manager needed to run. Next year, rather than leave their security in the hands of end users, more and more companies will institute antivirus scanning in their mail servers, their firewalls and even their routers. In the meantime, companies are looking for technology that automatically installs and updates antivirus software without needing any assistance from the PC user.

As for spam, so long as legislators twiddle their thumbs (and probably even if they stop), the amount of unsolicited e-mail circulating through the Internet will only increase. Already a serious problem for Internet service providers — more than 80 per cent of the e-mail received by Hotmail is spam — spam is a growing issue for businesses as well. Companies will increasingly see spam as a security problem and move to widely deploy antispam tools.

The best technologies will combine antispam with antivirus, as Brightmail already does. Until that combination is common, spam-only solutions like ChoiceMail, SpamAssassin, Spamnix and SpamSubtract are sure to be quite popular. And while antispam services like SpamCop may remain popular with end users, I believe that businesses will shy away from those services, since they require that each e-mail message be sent offsite for antispam processing — a move that potentially threatens business and client confidentiality.

Astute readers are sure to realise that the confidentiality problems inherent in sending e-mail to another company are also present when you use another company's products on your confidential data behind your firewall. Antispam programs that filter your e-mail necessarily have access to your mail and, if they fetch it on your behalf, to your e-mail passwords. What guarantee do you have that these programs are not surreptitiously copying this information and sending it somewhere else? The answer is that there are no guarantees unless the source code of the programs is professionally evaluated — and that is one of the reasons behind the perennial push for evaluated software, the Common Criteria and trustworthy operating systems. Expect increased attention to that kind of formal evaluation across many different categories of security tools.

Sleuthware

Forensics is likely to be a huge growth area during the coming year. Today, disk forensic programs are popularly used by law enforcement to discover what was on a suspect's hard drive, as well as by attorneys involved in litigation and discovery to search for documents that the other side might possibly be hiding. I expect that as the understanding of these tools grows, many businesses will use them for investigating the computers of problem employees — both before and after termination.

Today, disk forensic tools are divided into high-end programs like Encase, low-end tools like Norton Utilities and free software like @Stake's Task. What's needed are more midrange tools built around specific problems that people want to solve, rather than specific capabilities that programmers have been able to develop. We need tools that can run off a bootable CD-ROM so that they can be used without disturbing the host operating system (the suspect's disk stays mounted read-only) but still have full access to the Internet so that recovered documents can easily be copied to another machine without resorting to sneakernet or CDRs. What's more, these tools need to be usable with little or no training.

Unfortunately, forensic tools also make great tools for burglars. If one of your employees stayed late in the office and spent the night copying files from people's computers to some website in Argentina, would you ever find out? For most businesses, the answer is no. That's because most businesses simply do not monitor what information is passing over their Internet connection. That leads us to the next hot area for 2003: network forensics analysis tools (NFAT). Right now, several such tools exist on the market, including NetDetector, NetIntercept, NetWitness, NFR, SilentRunner and the open-source program Ethereal. Given a tap or mirror port on the Internet link, all of these products will capture every packet that moves across your Internet connection and then allow you to reassemble TCP/IP connections so that you can really understand what's going on.
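The reassembly step that these tools perform is easy to underestimate: segments arrive out of order, get retransmitted with overlaps, and sometimes are never captured at all. The following is an added example, not code from the original article or from any of the products named above. It reassembles one direction of a TCP connection from a constructed capture (the hosts 10.0.0.5 and 203.0.113.9, the ports and the HTTP payload are all made up for the illustration), tolerating out-of-order delivery and overlapping retransmissions and reporting any gaps where bytes were missed. Sequence-number wraparound is ignored, which is an assumption that holds for the short sample but not for a real long-lived capture.

```python
"""Minimal TCP stream reassembly over captured segments (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment; seq is the sequence number of its first payload byte."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes
    syn: bool = False


class StreamReassembler:
    """Collects segments per direction (src, sport, dst, dport) and rebuilds the byte stream."""

    def __init__(self):
        self._segs = defaultdict(list)   # flow key -> list of (seq, payload)
        self._isn = {}                   # flow key -> sequence number of the first data byte

    def add(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn:
            # A SYN consumes one sequence number, so application data starts at seq + 1.
            self._isn.setdefault(key, seg.seq + 1)
        if seg.payload:
            self._segs[key].append((seg.seq, seg.payload))

    def flows(self):
        return list(self._segs.keys())

    def reassemble(self, key):
        """Return (stream_bytes, gaps). Gaps are (start_seq, end_seq) ranges never captured."""
        segs = sorted(self._segs.get(key, []), key=lambda s: s[0])
        if not segs:
            return b"", []
        nxt = self._isn.get(key, segs[0][0])   # no SYN seen: assume the first data seq is the start
        out, gaps = bytearray(), []
        for seq, data in segs:
            if seq + len(data) <= nxt:
                continue                        # pure retransmission of bytes we already have
            if seq > nxt:
                gaps.append((nxt, seq))         # uncaptured bytes: pad so later offsets stay right
                out.extend(b"\x00" * (seq - nxt))
                nxt = seq
            out.extend(data[nxt - seq:])        # overlap: drop the prefix already seen
            nxt = seq + len(data)
        return bytes(out), gaps


def constructed_capture():
    """Made-up packets: a client POSTing a document to an outside host, captured out of order."""
    c, s = ("10.0.0.5", 40000), ("203.0.113.9", 80)
    up = lambda seq, data, syn=False: Segment(c[0], c[1], s[0], s[1], seq, data, syn)
    down = lambda seq, data, syn=False: Segment(s[0], s[1], c[0], c[1], seq, data, syn)
    return [
        up(1000, b"", syn=True),
        down(5000, b"", syn=True),
        up(1049, b"\r\n"),                           # end of headers arrives before the headers
        up(1001, b"POST /upload HTTP/1.0\r\n"),
        up(1040, b"ple.net\r\n\r\nCONF"),             # retransmission overlapping two segments
        up(1024, b"Host: files.example.net\r\n"),
        up(1051, b"CONFIDENTIAL design notes"),
        down(5001, b"HTTP/1.0 200 OK\r\n"),
        down(5030, b"done"),                          # the 12 bytes in between were never captured
    ]


def reassemble_capture():
    """Reassemble every flow in the constructed capture: flow key -> (bytes, gaps)."""
    r = StreamReassembler()
    for seg in constructed_capture():
        r.add(seg)
    return {key: r.reassemble(key) for key in r.flows()}


if __name__ == "__main__":
    for key, (stream, gaps) in reassemble_capture().items():
        print(key, gaps)
        print(stream)
```

The client-to-server stream comes out as the complete HTTP request despite the shuffled delivery and the overlapping retransmission; the server-to-client stream carries one reported gap, which is exactly the kind of hole an analyst needs to know about before trusting what the reconstructed session appears to show.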

These tools also have their limitations. Unfortunately, with the exception of NetWitness, the current generation is mostly reactive, rather than proactive. Unlike intrusion detection systems, these NFATs don't terminate questionable connections that are in progress. Instead, they simply record everything, under the general assumption that somebody in your organisation might want to do something with the data at some later point in time.

The problem here is that you need to know when to go looking for something. For those of us who are naturally nosy, that's no problem. Even so, most organisations will find that having an NFAT creates an ongoing requirement for additional manpower — and that translates into an ongoing expense. The next generation of NFATs will need to be better at learning baseline behaviour and automatically reporting abnormalities if they are to be broadly adopted.
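What "learning baseline behaviour and reporting abnormalities" looks like in practice is a per-host model of normal traffic and a rule for how far from it a new observation may stray. The following is an added example, not code from the original article or from any NFAT product. It learns a robust baseline (median and median absolute deviation of hourly outbound bytes) for each workstation from constructed history and then scores a constructed day of records against it, flagging the all-night transfer described above and a machine that has never been seen before. The hostnames, the byte counts, the 07:00 to 20:59 definition of business hours and the threshold of six robust standard deviations are all assumptions chosen for the illustration.

```python
"""Per-host traffic baseline and anomaly reporting over flow summaries (added example)."""
import statistics
from collections import defaultdict

# Flow-summary record: (day, hour, host, outbound_bytes) for one host in one hour.
BUSINESS_HOURS = range(7, 21)   # assumption: 07:00-20:59 is normal working time
MAD_TO_SIGMA = 1.4826           # scales a median absolute deviation to a standard deviation


def learn_baseline(records):
    """Return {host: (median_bytes, mad_bytes)} from history believed to be normal."""
    by_host = defaultdict(list)
    for _day, _hour, host, nbytes in records:
        by_host[host].append(nbytes)
    baseline = {}
    for host, vals in by_host.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)
        # Floor the spread so a very regular host does not alert on trivial changes.
        baseline[host] = (med, max(mad, 0.2 * med, 1.0))
    return baseline


def find_anomalies(records, baseline, k=6.0):
    """Flag records whose volume is more than k robust sigmas above the host's median,
    and any host with no baseline at all. Returns a list of alert dicts in record order."""
    alerts = []
    for day, hour, host, nbytes in records:
        reasons = []
        if host not in baseline:
            reasons.append("no baseline")
        else:
            med, mad = baseline[host]
            score = (nbytes - med) / (MAD_TO_SIGMA * mad)
            if score > k:
                reasons.append(f"volume {score:.0f} sigma above median")
                if hour not in BUSINESS_HOURS:
                    reasons.append("off-hours")
        if reasons:
            alerts.append({"day": day, "hour": hour, "host": host,
                           "bytes": nbytes, "reasons": reasons})
    return alerts


def constructed_history():
    """Made-up normal week: two workstations moving 1-6 MB per business hour."""
    recs = []
    for day in range(1, 6):
        for hour in range(9, 18):
            for i, host in enumerate(("ws-sales-12", "ws-eng-04")):
                mb = 1 + ((day * 7 + hour * 3 + i * 5) % 11) / 2   # deterministic variation
                recs.append((day, hour, host, int(mb * 1_000_000)))
    return recs


def constructed_today():
    """Made-up records for the day under review."""
    return [
        (6, 10, "ws-eng-04", 3_200_000),
        (6, 14, "ws-sales-12", 4_100_000),
        (6, 23, "ws-sales-12", 900_000_000),   # the overnight copy to an outside site
        (6, 15, "ws-contractor-3", 500_000),   # a machine the baseline has never seen
    ]


if __name__ == "__main__":
    base = learn_baseline(constructed_history())
    for alert in find_anomalies(constructed_today(), base):
        print(alert)
```

The median/MAD pair is used rather than mean/standard deviation because one bad hour in the training window would otherwise inflate the baseline enough to hide the next one; the unseen-host rule is there because a new machine appearing on the network is itself something an analyst wants to hear about, regardless of how much it has sent so far.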

This push for higher-level functionality focused on specific tasks is already appearing in the world of security scanners. A few years ago, I ran Internet Security Systems' Internet Scanner on a small network, and I ended up with a report of more than 100 pages about potential security problems on the network. New tools such as FoundScan combine problem detection with intelligent prioritisation, tracking and remediation reports. In other words, more and more scanners will start checking to see whether the problems they detect are actually fixed — and whether those problems stay fixed.
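Checking that a problem is fixed, and stays fixed, means keeping state across scan runs rather than treating each report as a fresh 100 pages. The following is an added example, not code from the original article or from any scanner product. It tracks each finding (host, port, check) through open, fixed and regressed states as successive runs are ingested, sorts the outstanding ones by severity and by how often they have reopened, and only declares a finding fixed when the host was actually scanned in that run, since an absent host is not the same as a fixed host. The check names, hosts and severity table are constructed for the illustration.

```python
"""Tracking scanner findings across runs so fixes and regressions are visible (added example)."""
from dataclasses import dataclass

SEVERITY = {   # constructed severity table for the example checks (10 = worst)
    "ms-sql-sa-blank-password": 10,
    "iis-unicode-traversal": 9,
    "smtp-vrfy-enabled": 3,
}


@dataclass
class Finding:
    host: str
    port: int
    check: str
    status: str = "open"        # open | fixed | regressed
    first_seen: int = 0
    last_seen: int = 0
    times_reopened: int = 0


class RemediationTracker:
    """Keeps one Finding per (host, port, check) and updates it from each scan run."""

    def __init__(self):
        self.findings = {}

    def ingest(self, run_id, detected, scanned_hosts):
        """detected: set of (host, port, check) found in this run;
        scanned_hosts: hosts this run actually covered. Returns the updated report."""
        detected = set(detected)
        for key in detected:
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(*key, first_seen=run_id, last_seen=run_id)
                continue
            if f.status == "fixed":
                f.status = "regressed"      # it was gone, and now it is back
                f.times_reopened += 1
            f.last_seen = run_id
        for key, f in self.findings.items():
            # Only a host that was scanned and came up clean counts as fixed.
            if key not in detected and key[0] in scanned_hosts and f.status != "fixed":
                f.status = "fixed"
        return self.report()

    def report(self):
        outstanding = [f for f in self.findings.values() if f.status != "fixed"]
        outstanding.sort(key=lambda f: (-SEVERITY.get(f.check, 0), -f.times_reopened, f.host))
        fixed = [f for f in self.findings.values() if f.status == "fixed"]
        return {"outstanding": outstanding, "fixed": fixed}


def constructed_runs():
    """Made-up results of four scan runs over three hosts."""
    a = ("db1", 1433, "ms-sql-sa-blank-password")
    b = ("web1", 80, "iis-unicode-traversal")
    c = ("mail1", 25, "smtp-vrfy-enabled")
    everyone = {"db1", "web1", "mail1"}
    return [
        (1, {a, b, c}, everyone),
        (2, {a, c}, everyone),          # web1 patched
        (3, {a, b}, everyone),          # web1 rebuilt from an old image; mail1 fixed
        (4, set(), {"mail1"}),          # only mail1 scanned: nothing else may be called fixed
    ]


def run_tracker(runs):
    t = RemediationTracker()
    report = None
    for run_id, detected, scanned in runs:
        report = t.ingest(run_id, detected, scanned)
    return t, report


if __name__ == "__main__":
    tracker, rep = run_tracker(constructed_runs())
    for f in rep["outstanding"]:
        print(f.status, f.host, f.port, f.check, "reopened", f.times_reopened)
```

The scanned-hosts check is the part most often missing from home-grown trackers: a host that was powered off or firewalled during the run disappears from the findings list and, without it, is quietly reported as remediated.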

The Kitchen Sink

I expect more and more products to be delivered as "appliances," rather than as software packages that are loaded onto a Windows or Solaris server. The appliance approach lets a single vendor be responsible for the hardware, the software and the embedded operating system. Appliances also reduce the chances that one program might interfere with another, since the only way that appliances should be communicating with each other (or with the outside world) is through well-established TCP/IP protocols.

The troubling thing about this push to appliances is that most appliances turn out to be rack-mounted PCs running Windows, Linux or FreeBSD. The problem here is that all these operating systems have seen significant security vulnerabilities in the past year and all require constant patching and updating to remain secure. My concern is that many companies selling appliances have failed to devise ways for these systems to be updated in the field; instead, they simply equip the appliance with two Ethernet interfaces and recommend that the management interface be installed behind a firewall. Code Red and Nimda both taught us the fallacy of that approach: once a worm is inside the perimeter, "behind the firewall" is exactly where it is.

Although biometrics and single sign-on systems are sure to see increased sales in the coming year, I don't expect them to be a potent force for most companies. On the other hand, I expect password synchronisation systems to make significant inroads. Those systems ease the pain for workers who need to use multiple computers and yet also need to change their passwords on a regular basis to ensure security. Synchronisation is a compromise solution (one captured password now unlocks every synchronised system), but it's a solution that seems to work.

Finally, I don't expect much breakthrough progress on the encryption front. With the exception of SSL (secure sockets layer), which is both easy to deploy and absolutely vital for securing e-mail delivery, Web transactions and the like, encryption systems are simply too hard to use. That's sad, because file encryption is one of the few ways to minimise the damage that can be caused by a laptop theft. But experience has shown that people protect themselves only against threats that they think are likely, and most people don't expect that their laptop will ever be stolen or misplaced.

Simson Garfinkel is a technology writer based near Boston. Disclosures: He has spoken at Brightmail conferences, formerly served on InterMute's advisory board and has a "tiny, tiny" ownership in the SpamSubtract product, is a friend and former business associate of Spamnix developer Barry Jaspan, and cofounded Sandstorm Enterprises and helped develop its NetIntercept NFAT tool.